Date: Wed, 16 Apr 2008 13:04:39 +0300
From: Roman Otsaljuk <romzes@upstar.com.ua>
To: Norman Maurer <norman@apache.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD7 + pf + ipsec
Message-ID: <4805CF37.70008@upstar.com.ua>
In-Reply-To: <1208338114.7003.1.camel@norman-laptop>
References: <4805C08A.1060308@upstar.com.ua> <1208338114.7003.1.camel@norman-laptop>
Norman Maurer writes:
> On Wednesday, 16.04.2008, 12:02 +0300, Roman Otsaljuk wrote:
>
>> Hi all.
>> I have two local nets linked over IPsec:
>>
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>>
>> Network schema:
>>
>> 192.168.0.0/24 <---> [192.168.0.12=freebsd=2.2.2.2] <--inet-->
>> [1.1.1.1=freebsd1=10.31.0.5] <----> 10.31.0.5/26
>>
>> On both points it was 6.2, firewall - pf.
>> After updating to 7.0 the VPN doesn't work:
>> 0) pings go normally
>> 0) TCP packets go too, but the third packet has the R flag:
>> from 192.168.0.12 try: ssh 10.31.0.42, on the second console:
>> mail# tcpdump -ni gif0
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on gif0, link-type NULL (BSD loopback), capture size 68 bytes
>> 10:49:43.912469 IP 192.168.0.12.63996 > 10.31.0.42.22: S 1756351354:1756351354(0) win 65535 <mss 1240,nop,wscale 3,sackOK,timestamp 51087105 0>
>> 10:49:43.936245 IP 217.20.174.35 > 195.43.43.238: IP 10.31.0.42.22 > 192.168.0.12.63996: S 4244314344:4244314344(0) ack 1756351355 win 65535 <mss 1460,[|tcp]> (ipip-proto-4)
>> 10:49:43.936360 IP 192.168.0.12.63996 > 10.31.0.42.22: R 1318200353:1318200353(0) win 0
>>
>> 0) adding the first rule (pass quick all) on both - no change;
>> 0) downing pf: in the local net in which pf is down - all good.
>>
>> Any ideas?
>>
>> p.s. the same happens if IPsec is replaced by vpnd
>> sorry for my bad English
>
> FreeBSD 7.0 uses the "new" IPsec implementation (IPSEC_FAST), so you need
> to allow the ipencap protocol too.
>
> Cheers
> Norman

Does the rule "pass quick all" not allow ipencap?
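A pf.conf fragment for the 192.168.0.12 gateway that makes the tunnel traffic Norman refers to explicit (IKE, ESP, and the gif IP-in-IP encapsulation that /etc/protocols names "ipencap", protocol 4), added here as an example and not taken from the thread. Interface names, the remote network 10.31.0.0/26 and the choice of `set skip on gif0` are assumptions.

```pf
# Added example, not from the thread. Gateway side: 192.168.0.12 / 2.2.2.2.
ext_if     = "em0"            # assumed external interface (2.2.2.2)
int_if     = "em1"            # assumed internal interface (192.168.0.12)
peer       = "1.1.1.1"        # remote tunnel endpoint from the thread
local_net  = "192.168.0.0/24"
remote_net = "10.31.0.0/26"   # assumed network behind 10.31.0.5

set skip on lo0
# Assumption: do not filter on the tunnel interface itself; the decapsulated
# traffic is filtered once, on $int_if, below.
set skip on gif0

# Log drops so "tcpdump -ni pflog0" shows which packet pf rejected.
block log all

# IKE between the two gateways (racoon, UDP 500)
pass quick on $ext_if proto udp from $peer to ($ext_if) port 500
pass quick on $ext_if proto udp from ($ext_if) to $peer port 500

# ESP carries the encrypted tunnel payload
pass quick on $ext_if proto esp from $peer to ($ext_if)
pass quick on $ext_if proto esp from ($ext_if) to $peer

# gif encapsulation: IP-in-IP, protocol 4 ("ipencap"), as Norman suggests
pass quick on $ext_if proto ipencap from $peer to ($ext_if)
pass quick on $ext_if proto ipencap from ($ext_if) to $peer

# Traffic between the two private networks, seen on the inside interface.
# "keep state" is written out because pf in FreeBSD 7.0 is not stateful by default.
pass on $int_if from $local_net to $remote_net keep state
pass on $int_if from $remote_net to $local_net keep state
```

Because every tunnel protocol gets its own rule and `block log all` logs to pflog0, a reset like the one in the tcpdump above can be matched against the logged drops to see whether pf or something else produced it.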